
deprecated warnings #1038

Open
Varun-Chakraborty opened this issue May 27, 2024 · 20 comments

Comments

@Varun-Chakraborty

Hey, just tried installing bcrypt in my project, and here are the deprecation warnings I am getting, just to notify if any of these are security issues:

npm i bcrypt

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.

added 57 packages, and audited 178 packages in 5s

Just for reference, I have Node version v20.10.0.

@mathdebate09

I'm having this issue as well; another StackOverflow post suggested the same.
Stackoverflow post

@cristian2213

cristian2213 commented May 29, 2024

I'm encountering the same problem with the 'npmlog' package. Upon further investigation, I noticed that the package has been archived. It seems that this could be causing the issue.

WARN  3 deprecated subdependencies found: [email protected], [email protected], [email protected]
dependencies:
bcrypt 5.1.1
└─┬ @mapbox/node-pre-gyp 1.0.11
  └─┬ npmlog 5.0.1
    ├── are-we-there-yet 2.0.0
    └── gauge 3.0.2

Node version: v20.11.0

@mathdebate09

@cristian2213 @Varun-Chakraborty try using bcryptjs.
It works exactly the same, without the issues with archived dependencies.

@Varun-Chakraborty
Author

Varun-Chakraborty commented May 30, 2024

@mathdebate09 that project was last updated 4 years ago; is it being maintained?

@mathdebate09

@Varun-Chakraborty I don't exactly know, but popular OS communities (theodinproject & fullstackopen) said it's a safe alternative, so I didn't check it.

@Varun-Chakraborty
Author

@mathdebate09 oh great! I've been using it for some time now; looks good to me.

@oom-

oom- commented Jun 12, 2024

It's getting worse.

#18 2.004 npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
#18 2.190 npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#18 2.216 npm warn deprecated [email protected]: This package is no longer supported.
#18 2.321 npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
#18 2.461 npm warn deprecated [email protected]: This package is no longer supported.
#18 2.547 npm warn deprecated [email protected]: This package is no longer supported.

Last publish of bcryptjs is 7 years ago.

Might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?".

It seems that to produce an update the author would have to rewrite a big chunk of it.

[...] it is also true to say that it is no longer possible to git clone this repository and run npm install due to deprecated devDependencies - in particular, ClosureCompiler gets a 404 error when trying to install. That does mean if there were ever a need to apply a fix to this library, the whole build component of it would need fixing first.
src: dcodeIO/bcrypt.js#155 (comment)

@lightningspirit

Might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?".

Yep, that's the point.

@callenAUS

I might be mistaken, but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp.
Looks like that package was last updated on Jul 14, 2023.

@Varun-Chakraborty
Author

I might be mistaken, but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp. Looks like that package was last updated on Jul 14, 2023.

Read about it, and what I understood is: since this version of bcrypt is written in C++, we need a binary to get it working with Node.js, so either we compile it ourselves using a C++ compiler or, if one is available for our OS, we use the prebuilt binary from node-pre-gyp. So updating that is not a concern, since bcrypt itself is some 9 to 10 months old; what we were talking about are packages like inflight, which is causing a memory leak and crashing the program.

@ebosetalee

@Varun-Chakraborty @mapbox/node-pre-gyp uses rimraf@3.x.x, which stopped using glob and inflight from version 4.0 (isaacs/rimraf#309), like last month (May 2024), so it'll take a while for the changes to reflect in the various packages that depend on those.
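The comments above trace the deprecated packages back through bcrypt > @mapbox/node-pre-gyp > npmlog / rimraf > glob > inflight. The script below is an added example, not code from the thread or from the bcrypt project: it walks a package-lock.json (lockfileVersion 3) and prints the root-to-package chain for each deprecated name, so you can see which direct dependency is responsible before reaching for overrides. The LOCK object is a constructed fragment modelled on the `pnpm ls` tree posted above; the versions for rimraf, glob and inflight are assumed, not taken from the thread.

```javascript
// Added example: locate the dependency chains that pull deprecated packages into a project.
// LOCK is a constructed package-lock.json (lockfileVersion 3) fragment; rimraf/glob/inflight versions are assumed.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { bcrypt: "^5.1.1" } },
    "node_modules/bcrypt": { version: "5.1.1", dependencies: { "@mapbox/node-pre-gyp": "^1.0.11" } },
    "node_modules/@mapbox/node-pre-gyp": { version: "1.0.11", dependencies: { npmlog: "^5.0.1", rimraf: "^3.0.2" } },
    "node_modules/npmlog": { version: "5.0.1", dependencies: { "are-we-there-yet": "^2.0.0", gauge: "^3.0.0" } },
    "node_modules/are-we-there-yet": { version: "2.0.0" },
    "node_modules/gauge": { version: "3.0.2" },
    "node_modules/rimraf": { version: "3.0.2", dependencies: { glob: "^7.1.3" } },
    "node_modules/glob": { version: "7.2.3", dependencies: { inflight: "^1.0.4" } },
    "node_modules/inflight": { version: "1.0.6" },
  },
};
// Names npm flagged as deprecated in the install output posted in this thread.
const DEPRECATED = ["inflight", "glob", "rimraf", "npmlog", "are-we-there-yet", "gauge"];

// Resolve `name` the way Node does: nearest node_modules, walking up from `fromPath`.
// Lockfile keys have no leading slash, so the hoisted top-level key is "node_modules/<name>".
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (""); records the first root-to-package chain per target.
function findChains(lock, targets) {
  const packages = lock.packages;
  const chains = {};
  const visited = new Set();
  const walk = (path, chain) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const key = resolveDep(packages, path, dep);
      if (!key) continue; // not in the lock (e.g. an optional dependency that was skipped)
      const next = [...chain, `${dep}@${packages[key].version}`];
      if (targets.includes(dep) && !chains[dep]) chains[dep] = next.join(" > ");
      if (!visited.has(key)) { visited.add(key); walk(key, next); }
    }
  };
  walk("", []);
  return chains;
}
console.log(findChains(LOCK, DEPRECATED));
```

Against a real project, replace LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; `npm ls inflight` prints the same chain, but this runs offline and checks all the names at once.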

@vnc-tech

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay?

{
  "dependencies": { "bcrypt": "^5.1.1" },
  "overrides": { "glob": "10.4.2", "rimraf": "5.0.7" }
}

These were the only warnings that showed up after installing:

"
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
"

What do you guys think?

@ostkrok

ostkrok commented Sep 11, 2024

This issue actually seems to be fixed in main with this commit.

I think many of us would welcome a new release so we can get rid of the deprecation warnings.

@recrsn Would it be possible to create a new patch release from main?

@MegaDhakse2

MegaDhakse2 commented Oct 18, 2024

I am also getting the same warnings. It would be better if we had a new patch.
Thanks in advance!!😊


Node: 20.18.0

@cogilv25

cogilv25 commented Nov 4, 2024

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay? "dependencies": { "bcrypt": "^5.1.1" }, "overrides": { "glob": "10.4.2", "rimraf": "5.0.7" }

These were the only warnings that showed up after installing:

" npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. "

What do you guys think?

Well.. not knowing anything about it I'm trying this 😃 Am I making headaches for myself later..?

@Varun-Chakraborty
Author

Varun-Chakraborty commented Nov 4, 2024

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay? "dependencies": { "bcrypt": "^5.1.1" }, "overrides": { "glob": "10.4.2", "rimraf": "5.0.7" }

These were the only warnings that showed up after installing:

" npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. "

What do you guys think?

Well.. not knowing anything about it I'm trying this 😃 Am I making headaches for myself later..?

I don't know what exactly the overrides do, will look into it later, but as the name suggests it should be that it overrides the actual dependency. But since the overridden dependency is many major updates different, it would break bcrypt if there's some breaking change in those packages that bcrypt didn't handle, since it's supposed to run on its actual dependency.

@cogilv25

cogilv25 commented Nov 8, 2024

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay? "dependencies": { "bcrypt": "^5.1.1" }, "overrides": { "glob": "10.4.2", "rimraf": "5.0.7" }
These were the only warnings that showed up after installing:
" npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. npm warn deprecated [email protected]: This package is no longer supported. "
What do you guys think?

Well.. not knowing anything about it I'm trying this 😃 Am I making headaches for myself later..?

I don't know what exactly the overrides do, will look into it later, but as the name suggests it should be that it overrides the actual dependency. But since the overridden dependency is many major updates different, it would break bcrypt if there's some breaking change in those packages that bcrypt didn't handle, since it's supposed to run on its actual dependency.

I finally got round to testing this and it seems to be working fine. I will chuck my test code in here and a screenshot in case I am wrong and some features do not work, but I doubt it, seeing how simple bcrypt is to use.

const bcrypt = require("bcrypt");

// Hash with cost factor 10, then verify the same password against the hash.
bcrypt.hash("My AMAZING Password", 10, (err, hash) => {
	if (err) {
		console.log(err);
		return; // no hash to compare against, so stop here
	}
	console.log(hash);
	console.log("\n\n");
	bcrypt.compare("My AMAZING Password", hash).then((result) => {
		console.log(result ? "BCrypt is working as expected!" : "BCrypt is not working!");
	});
});

This is running just after my project starts listening for connections so please ignore everything before it dumps the hash. I put a bunch of newlines in to make it easier to pick out. If you modify your package.json as @vnc-tech suggests then run npm update it should all work as expected so far as I can see! Hope this helps everyone out!

@ownupalways

Wow! wonderful support from everyone.

But bcrypt why now?????

@ConfidentialV

If you're starting a new project and looking to implement secure password hashing, feel free to try out the argon2 package, which is readily available on npm for Node.js. Argon2 is specifically designed to counter modern hardware-based attacks (such as those using GPUs and ASICs) more effectively than bcrypt.

@dev-garcia

Subject: Introducing cryptography-password-js - A modern alternative to bcryptjs

Hello everyone,

I’ve been following the discussion here and I understand the frustration regarding the issues with bcryptjs. Many of the challenges mentioned—such as performance and compatibility—are certainly valid concerns in today’s development environment.

To address some of these pain points, I’ve created a new library called cryptography-password-js, which was inspired by bcryptjs but designed with some important improvements that I believe could be beneficial for modern projects.

Here are some key features of cryptography-password-js:

  • Zero dependencies, just like bcryptjs, but with the added benefit of native TypeScript support, making it easier to integrate into TypeScript-based projects.
  • Fully compatible with the latest versions of Node.js, including the most recent releases.
  • Focused on security, providing a robust and reliable hashing solution for both JavaScript and TypeScript projects.
  • Designed with a strong emphasis on providing a great developer experience, ensuring ease of use and integration in high-performance applications that require secure password hashing.

I’ve also run some benchmarks, and the results have been quite promising, particularly in terms of performance and memory usage. Given the nature of the concerns discussed here, I believe cryptography-password-js could be a great alternative to explore.

I would like to invite you all to try out cryptography-password-js, give it a test, and share your feedback. If you find it helpful and are interested, feel free to contribute to the project! You can check it out on GitHub here: https://github.com/dev-garcia/cryptography-password-js.git

Your feedback and contributions would be highly appreciated as we continue to improve the project.
